The Regulators Are Coming for Your Washing Machine App

Katie Paxton-Fear | July 30, 2024

The regulators are coming for your washing machine app, and they are not happy with silence over security. We constantly see news of IoT hacks and breaches: routers DDoSing Minecraft servers, babies being spied on through baby monitors, and cars being taken over. So perhaps it is not surprising to see regulation come into play requiring manufacturers to take steps to prevent security breaches. Last month, on the 29th of April 2024, the UK legislation came into force: the Product Security and Telecommunications Infrastructure (PSTI) Act 2022, and The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. These two pieces of legislation target the IoT device supply chain, requiring manufacturers to take steps to secure their hardware. However, this does not stop at hardware. Software, whether pre-installed on devices or installed on a user's device, is covered. This means that mobile applications and their associated APIs, including third-party APIs and similar services that provide functionality such as telemetry data, are also included.

Passwords, API Keys and Cryptography

One of the most widely discussed aspects of the PSTI Act is its requirements around authentication. It prohibits manufacturers from shipping universal default passwords on devices, since these often remain unchanged and can grant an attacker access. Passwords are not the only authentication mechanism being regulated, however. PSTI includes a requirement for the secure storage of sensitive security parameters such as API keys: provision 5.4-3 specifically forbids hard-coded API keys in the source code, so manufacturers should instead encrypt or obfuscate any API keys. Encryption is an important aspect of the PSTI Act, and consumer IoT devices should use best-practice cryptography. While the regulation does not mandate a specific form of encryption, leaving the provision simply as "Communicate securely", sensitive security parameters, whether a password, a QR code, or a one-time password, should be encrypted in transit and at rest.
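One way to catch provision 5.4-3 violations before code ships is a secret scanner run over the source tree in CI. The following is an added example, not code from the article or from Traceable; the source it scans is constructed, and the credential-name pattern, the 16-character minimum and the entropy threshold are assumptions.

```python
import math
import re

# Assignments of a string literal to a credential-looking name, e.g.
# API_KEY = "..." or apiSecret: '...' (Python, JavaScript, Kotlin style).
# The name pattern and the 16-character minimum are assumptions.
_ASSIGN = re.compile(
    r'(?i)\b(\w*(?:api[_-]?key|secret|token|password)\w*)'
    r'\s*[:=]\s*["\']([^"\']{16,})["\']'
)


def shannon_entropy(value: str) -> float:
    """Bits per character: random keys score high, words and placeholders low."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def find_hardcoded_keys(source: str, min_entropy: float = 3.5) -> list:
    """Return (line_number, variable_name) for every literal that looks like a
    real credential; low-entropy placeholders such as CHANGE_ME are skipped."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, value in _ASSIGN.findall(line):
            if shannon_entropy(value) >= min_entropy:
                findings.append((lineno, name))
    return findings


# Constructed sample: line 2 violates provision 5.4-3, line 3 is an obvious
# placeholder, and line 4 loads the key at runtime from the environment instead.
SAMPLE_SOURCE = '''import os
TELEMETRY_API_KEY = "q7Xk2mP9vL4nR8sT1wY6zB3cD5fG0hJa"
DEVICE_PASSWORD = "CHANGE_ME_CHANGE_ME"
telemetry_key = os.environ["TELEMETRY_API_KEY"]
'''

if __name__ == "__main__":
    for lineno, name in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: hard-coded credential assigned to {name}")
```

Loading the key from the environment, a platform keystore or a secrets manager at runtime is what keeps the literal out of the repository; obfuscation in the binary only raises the cost of extraction.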

Vulnerability Management and Updates

A welcome change for consumers and security researchers is the requirement to have a vulnerability management process: provision 5.2 requires manufacturers to implement a means to manage reports of vulnerabilities. Vulnerability disclosure programs have had a lot of the spotlight in security regulations, with CISA launching BOD-20-01 in 2020 requiring federal agencies to have a vulnerability management program, and in the UK the NCSC offering a vulnerability disclosure toolkit for businesses. A vulnerability management program simply offers some way of accepting vulnerability reports, from an email address to a more formal bug bounty program; a place where security researchers can find it, such as a security.txt file; and a way to let reporters know the status of their report and when a fix is available. For PSTI, the first provision requires a vulnerability disclosure policy to be made available, and this policy should include where to report issues and the typical resolution timelines. When a vulnerability is disclosed it should be resolved in a timely manner; this time can vary, but the standard 90 days for software issues is suggested. Finally, manufacturers should regularly test and monitor their products for security vulnerabilities, including third-party software, and regularly update their own applications and APIs as well as the third-party software they depend on.

Privacy and Personal Data

Privacy and data protection in IoT devices have come under scrutiny before. In 2023, the Mozilla Foundation put out a scathing report on smart functionality in cars and their associated apps and APIs, calling them the worst product category it had ever reviewed for privacy. While existing legislation such as GDPR already covers this ground, the provisions in PSTI reinforce the same idea. The data protection provisions include providing information about what personal data is collected, how it is processed, who uses it, and for what purposes, including advertising, with a clear, valid way for consumers to give and withdraw consent; the same provisions apply to device telemetry data.

Attack Surfaces and Integrity

You can't secure what you don't know, and whether that is a manufacturer's attack surface or its software integrity, unknown unknowns are also a high priority in PSTI. Manufacturers need to adopt the principle of least privilege (a user should only have access to what they need and nothing more) both in their software and in the IoT hardware itself, whether that means ensuring an API endpoint has appropriate access control or that a physical USB port does not expose debug commands unless intended. Manufacturers also need to verify that software and configuration have not been changed without authorisation, whether by providing secure boot mechanisms or by preventing one user from altering the settings of another user's light or thermostat, and inform the user of any changes that have been made so they can act on them.

The Product Security and Telecommunications Infrastructure (PSTI) Act 2022 and the accompanying Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 represent a significant step forward in ensuring the security of consumer connectable products in the UK. These regulations mandate that manufacturers of such products comply with baseline security requirements when selling to UK consumers.

While it is tempting to dismiss these requirements as mere good practice or as only relevant to the UK market, there are compelling reasons for immediate compliance worldwide, especially for IoT manufacturers:

  1. Global Influence: The PSTI Act and Regulations are likely to serve as a blueprint for similar legislation in other countries. As the world becomes increasingly interconnected, governments worldwide recognize the need to safeguard their citizens from cyber threats. By adhering to these standards now, manufacturers position themselves ahead of the curve, anticipating future regulatory trends.
  2. Beyond Physical Access: Some critics argue that an attacker needs physical access to exploit vulnerabilities in connectable products. However, this perspective overlooks the broader attack surface. APIs (Application Programming Interfaces) play a crucial role in connecting devices and services, and a compromised API can lead to unauthorized access, data breaches, and other security incidents. Compliance is therefore not just about physical access; it is about securing the entire ecosystem.

In summary, while the PSTI Act and Regulations are indeed good practice, they are also strategic imperatives. Manufacturers should prioritize compliance not only for the sake of UK consumers but also to set a precedent for global cybersecurity standards. By doing so, they contribute to a safer digital landscape for all.
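The least-privilege and integrity points made under Attack Surfaces and Integrity come together in a single API handler: the endpoint that changes a device's settings must check that the caller owns that device, and must leave a record the owner can see. The following is an added example, not the article's or Traceable's code; the device fleet, user ids and the in-memory store standing in for a database are all constructed.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on the requested device."""


@dataclass
class Device:
    device_id: str
    owner_id: str
    settings: dict
    change_log: list = field(default_factory=list)  # shown to the owner in the app


# Constructed fleet standing in for the backend's database: two thermostats
# belonging to two different users.
DEVICES = {
    "thermo-001": Device("thermo-001", "user-alice", {"target_c": 20}),
    "thermo-002": Device("thermo-002", "user-bob", {"target_c": 22}),
}


def update_settings_unchecked(device_id: str, new_settings: dict) -> None:
    """Before: the handler trusts the device id in the request, so any signed-in
    user can change any other user's thermostat (no object-level authorisation)."""
    DEVICES[device_id].settings.update(new_settings)


def update_settings(caller_id: str, device_id: str, new_settings: dict) -> dict:
    """After: least privilege on the endpoint plus an integrity record.
    Returns {setting: (old, new)} for what actually changed."""
    device = DEVICES.get(device_id)
    if device is None or device.owner_id != caller_id:
        # One response for "no such device" and "not yours", so the endpoint
        # does not confirm which device ids exist.
        raise Forbidden("device not found or not owned by caller")
    changes = {k: (device.settings.get(k), v)
               for k, v in new_settings.items() if device.settings.get(k) != v}
    device.settings.update(new_settings)
    if changes:
        # The owner sees who changed what and can revert or report it.
        device.change_log.append({"by": caller_id, "changes": changes})
    return changes
```

The caller id must come from the authenticated session, never from the request body, or the check is decorative.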

About Traceable

Traceable is the industry’s leading API Security company helping organizations achieve API protection in a cloud-first, API-driven world. Traceable is the only contextually-informed solution that powers complete API security – API discovery and posture management, API security testing, attack detection and threat hunting, and attack protection anywhere your APIs live. Traceable enables organizations to minimize risk and maximize the value that APIs bring to their customers. To learn more about how API security can help your business, visit https://www.traceable.ai/.
